Redundant Gateways

Unanswered Question
Sep 15th, 2009

Hello All,

I have a site that has 2 locations connected by a point to point. Each site reaches the Internet through a gateway local to it but can also get to the Internet out the other site's gateway if need be by just changing the default gateway on the host computer. I would like to set up some redundancy that says if the Internet cannot be reached from Site A using Site A's gateway then use Site B's gateway. At each site there is a PIX 501 serving as the DG and then a router in front of the PIXs for Internet Connectivity. I would like this to happen automatically. Any help is appreciated.

All replies rated!

Jon Marshall Tue, 09/15/2009 - 07:30

Angel

Could you just clarify. You say at each site the DG is the pix 501. And you also say that if you need the host to use the other site for internet you simply change the default-gateway.

What do you change the default-gateway to?

Jon

angel-moon Tue, 09/15/2009 - 07:47

Hey Jon,

If the DG at Site A is the inside interface of the PIX at 10.0.0.1, to get hosts at Site A to use the DG at Site B I just change the DG on the host to 192.168.0.1, which is the inside interface of the PIX at Site B. Works fine manually. I would love a solution that reroutes if the router is up but the ISP service is down, the router is down or the PIX is down, but I will take what I can get.

Jon Marshall Tue, 09/15/2009 - 08:09

Angel

The sites are connected via a point-to-point link. What devices are you using for this link?

Basically you are going to need a router(s) somewhere within your site(s) to make this work. The pix 501s don't have the functionality for this.

Jon

angel-moon Tue, 09/15/2009 - 10:16

Hello Jon,

We have a 2801 on one side and a 2621XM on the other side.

Jon Marshall Tue, 09/15/2009 - 11:12

Angel

Then you should be able to automate this with reliable object-tracking. You will however need to change the default-gateways from the pix firewalls to the LAN interfaces of the routers.

Is this possible for you to do?

If it is I will get a config posted up for you tomorrow.

Jon

angel-moon Tue, 09/15/2009 - 12:41

Thanks Jon,

If we change the DG from the PIX to the routers then the outbound traffic could not be inspected, and that can't happen. Can the ASA meet the requirements?

Thanks!

Jon Marshall Tue, 09/15/2009 - 15:46

Angel

"If we change the DG from the PIX to the routers then the outbound traffic could not be inspected and that can't happen. Can the ASA meet the requirements"

Sorry, didn't explain this very well. The default-gateway would be changed to the router, but outbound traffic, i.e. to the Internet, still has to go via the pix firewalls, i.e. you would add a default-route to each router pointing to the corresponding pix.

Would that be okay?

Do you have ASA devices handy ?

Jon
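Jon's two posts above describe the design (reliable object tracking on the routers, hosts defaulting to the router LAN interface, each router defaulting to its own PIX) without the config itself. The following is an added example of what the Site A router side looks like in IOS syntax; it is not Jon's promised config or anything from the thread. The two PIX inside addresses (10.0.0.1 and 192.168.0.1) come from the thread; the router LAN address, the serial addressing between the two routers, the interface names and the probe target 198.51.100.1 (a stand-in for ISP A's upstream router) are all assumptions:

```cisco
! Added example, not the poster's or Jon's configuration: Site A router.
! Assumed addressing (constructed for illustration):
!   FastEthernet0/0  10.0.0.2/24    router LAN interface = new host default gateway
!   10.0.0.1                        PIX A inside interface (from the thread)
!   Serial0/0        172.16.0.1/30  point-to-point to the Site B router (172.16.0.2)
!   198.51.100.1                    stand-in for ISP A's upstream router (probe target)
!   192.168.0.0/24                  Site B LAN; 192.168.0.1 = PIX B inside (from the thread)
!
! 1. Probe ISP A's upstream router every 10 seconds, sourced from the LAN side so
!    the echo goes out through PIX A exactly like user traffic does.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! 2. Tracked object driven by the probe. The delays stop one lost echo from
!    flapping the default route back and forth.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! 3. Pin the probe target to the PIX A path. Without this, after a failover the
!    probe would travel via Site B, succeed, and wrongly declare Site A healthy.
ip route 198.51.100.1 255.255.255.255 10.0.0.1
!
! 4. Primary default route via PIX A, present only while track 1 is up.
!    Floating static (AD 10) via the Site B router is used whenever it is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 172.16.0.2 10
ip route 192.168.0.0 255.255.255.0 172.16.0.2
!
! 5. Hosts now point at 10.0.0.2. Redirects are disabled so the router never
!    tells a host to bypass it and send Internet traffic straight to the PIX,
!    which would put the host back on a single, untracked path.
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
!
interface Serial0/0
 ip address 172.16.0.1 255.255.255.252
```

The Site B router gets the mirror image (probe its own ISP, default to 192.168.0.1 with `track`, floating default to 172.16.0.1). Two things outside the routers also have to be in place: PIX A must allow the ICMP echo replies back in (an outside ACL or ICMP inspection, depending on PIX version), or the track will never come up; and because Site A's traffic will arrive on PIX B's inside interface during a failover, PIX B needs a route back to 10.0.0.0/24 via the Site B router and NAT rules that cover that subnet. On older IOS trains, such as those typically found on a 2621XM, the probe is configured with `rtr 1` or `ip sla monitor 1` and `type echo protocol ipIcmpEcho 198.51.100.1`, with `track 1 rtr 1 reachability`; the static routes are the same.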
